Medium severity6.1NVD Advisory· Published Aug 14, 2017· Updated May 13, 2026

CVE-2017-9802

Description

The Javascript method Sling.evalString() in Apache Sling Servlets Post before 2.3.22 uses the javascript 'eval' function to parse input strings, which allows for XSS attacks by passing specially crafted input strings.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.apache.sling:org.apache.sling.servlets.postMaven	< 2.3.22	2.3.22

Affected products

Apache/Sling Servlets Post
cpe:2.3:a:apache:sling_servlets_post:*:*:*:*:*:*:*:*
Range: <=2.3.20

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.securityfocus.com/bid/100284nvdThird Party AdvisoryVDB EntryWEB
github.com/advisories/GHSA-8c82-9rgp-4qvrghsaADVISORY
issues.apache.org/jira/browse/SLING-7041nvdIssue TrackingVendor AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2017-9802ghsaADVISORY
packetstormsecurity.com/files/143758/Apache-Sling-Servlets-Post-2.3.20-Cross-Site-Scripting.htmlnvdWEB
www.securityfocus.com/archive/1/541024/100/0/threadednvdWEB
lists.apache.org/thread.html/2f4b8333e44c6e7e0b00933bd4204ce64829952f60dbb6814f2cdf91@%3Cdev.sling.apache.org%3EghsaWEB
lists.apache.org/thread.html/2f4b8333e44c6e7e0b00933bd4204ce64829952f60dbb6814f2cdf91%40%3Cdev.sling.apache.org%3Envd

News mentions

No linked articles in our index yet.

cvss	0.397
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000